Marc Kolenko is the chief cyber solutions architect at Intelligent Decisions, where he helps to provide clients continuous monitoring solutions that comply with federal mandates such as the Federal Information Security Management Act.
Before joining Intelligent Decisions, he served as an information assurance manager at Booz Allen Hamilton for a combined Defense Department-intelligence community fusion.
The U.S. Air Force veteran recently caught up with ExecutiveBiz to discuss challenges in complying with federal security mandates, how he helps agencies address those challenges and how he applies experiences from his military service in his current position.
ExecutiveBiz: What are the most common issues government agencies face when complying with FISMA?
Marc Kolenko: The biggest issue that I've seen while working on government client sites is that there aren't enough experienced certification and accreditation practitioners in terms of understanding the technical security aspects of the C&A process required for compliance, or the overall C&A methodology. Whether it's a four-phase or a five-phase C&A process, many C&A staff, whether contractor or government, don't fully understand what artifacts are needed to have a complete, clinical FISMA compliance package.
There are usually some extremely talented technical staff that are part of the remediation, analysis, and accreditation teams, but not enough. There is usually someone on the team that understands the methodology well enough, but there needs to be more staff that understand the nature of computer- and network-borne vulnerabilities, and whether a technical, operational or administrative countermeasure exists to neutralize that vulnerability; it's all about proper, cost-effective risk management.
ExecutiveBiz: How would you help agencies address this problem?
Kolenko: One of the things that we attempt to do is deploy staff to various DOD or intelligence community locations who understand both the administrative aspects of the C&A process, as well as the operational and technical. They understand which artifacts are required for a complete remediation package – system security plans, vulnerability management plans, configuration management plans, etc. They understand how to create those templates, but more importantly, how to draft responses in a way that a DAA or accrediting authority can understand the risk, as well as the plan to mitigate it. There are website repositories with FISMA or DIACAP templates that are available for use. I-Assure is one site where you can download most DIACAP artifacts.
ExecutiveBiz: How do you help recruit, train and retain IT professionals in your company?
Kolenko: One of the things that I think I've always been a strong advocate of, and have found to be very effective, is having a very strong intern program affiliated with local universities and colleges. I've seen great interns come from electrical engineering, computer science, information security engineering, and application/computer programming disciplines… anybody that has some solid basic IT computer skills.
Developing a relationship is important and George Mason University is one that comes to mind. Bringing those interns in from their sophomore year on is vital for a couple of reasons. Number one, they start to build a relationship with your company. They get to learn in a real working, hands-on environment. So, they can become better practitioners by actually installing and setting up computer and network systems, managing them, assessing them for vulnerabilities, and remediating problems they find.
If they go through your intern program for 2-3 years, and you determine at some point in time that they are interested in coming to work for your company (and you are interested in tendering them an offer), you can even queue them up for clearances. So, by the time they graduate and they come to your organization, they're ready to go on site and do the real work at hand. I have found this to be an incredibly strong way to attract talent, especially if you can build a pipeline with some of your local institutions.
ExecutiveBiz: How does your U.S. Air Force officer background apply to your 28 years of business experience?
Kolenko: I was very fortunate to work in a mission-critical field in support of national defense, having to deal with satellites and sustaining engineering. I dealt with operations and maintenance of all the ground stations that controlled those platforms when I was an officer in the Air Force.
I worked with some incredibly experienced, savvy, and memorable colonels and generals. But, I'll tell you, one of the most important things I learned from those gentlemen and women was to be dependable and forthright. You would never get reprimanded for making a mistake, but you would if you knew a problem was looming and you didn't identify it early enough or notify them and seek assistance. My experience back then was that they always had your back as long as you were forthcoming with them about the state of the situation you were working, because we're talking about national technical means and capabilities of the highest priority. There was very little margin for error, sometimes none. I've taken that with me my entire life.
ExecutiveBiz: In what areas is Intelligent Decisions trying to grow, and what will your role be?
Kolenko: As we start going after some larger professional services opportunities, a couple of the areas that we're focusing on are computer network defense, information assurance, and technical counterintelligence. Beyond the more traditional certification and accreditation work, we want to offer our clients and potential customers best-in-class network defense and mission assurance technologies through a variety of solution sets. For instance, continuous building out of a lifecycle solution set around that mandated government requirement. We want to help our clients understand the nature of vulnerabilities and exploits, why they may be targeted, how they might get compromised, and what they can do to prevent that from happening.
If an organization believes that they have vulnerabilities and that they may have been compromised, or they've experienced an event or an incident but don't quite understand what happened, why it happened, how it happened, or who did it to them, we would come in, pull together what we think is the current state of their environment, and in effect give them a potential remediation plan, with the intention of helping them build that capability themselves. With the private sector, and especially if you're talking about companies where shareholder value matters, this has to be understood at the board level. I believe "computer or network or cyber risk" is somehow going to be characterized and factored into the future valuations of companies. I believe there may be laws that will eventually come down from Congress that stipulate, again, especially if you're a private sector company, that you must disclose or attempt to quantify this level of risk. If you are aware of vulnerabilities or issues of compromise, you're going to have to report that; it's fundamentally part of the value of your company.